Net::SSH::Perl::Auth::PublicKey performs publickey authentication with a remote sshd server. When you create a new PublicKey auth object, you give it an $ssh object, which should contain an open connection to an ssh daemon, as well as any data that the authentication module needs to proceed. In this case, for example, the $ssh object might contain a list of identity files (see the docs for Net::SSH::Perl).

The authenticate method first tries to establish a connection to an authentication agent. If the attempt is successful, authenticate loops through each of the identities returned from the agent and tries each identity against the sshd, entering into a dialog with the server: the client sends the public portion of the key to determine whether the server will accept it; if the server accepts the key as authorization, the client then asks the agent to sign a piece of data using the key, which the client sends to the server. If the server accepts an identity/key, authentication is successful.

If the agent connection attempt fails, or if none of the identities returned from the agent allow for successful authentication, authenticate then tries to load each of the user's private key identity files (specified in the Net::SSH::Perl constructor, or defaulted to $ENV{HOME}/.ssh/id_dsa). For each identity, authenticate enters into a dialog with the server. The client sends a message to the server, giving its public key, plus a signature of the key and the other data in the message (session ID, etc.). The signature is generated using the corresponding private key. The sshd receives the message and verifies the signature using the client's public key. If the verification is successful, the authentication succeeds.

When loading each of the private key files, the client first tries to load the key using an empty passphrase. If this fails, the client either prompts the user for a passphrase (if the session is interactive) or skips the key altogether.